Docker Security - Challenges & Best Practice
Docker Security Explained
What is Docker security?
Docker security is the practice of protecting containers, applications, host systems, and anything else related to Docker. While containerization can improve application security, there’s also the potential for misconfigurations that could introduce vulnerabilities. By following Docker security best practices and using automated security tools, development teams can reduce the risks associated with Docker containers.
Why is Docker security important?
Docker security is critical because most organizations now use containers to build and deploy applications. With so many containers in production, a vulnerability within any single container can impact the overall security posture of an organization’s applications and infrastructure. That’s why it's important to scan for vulnerabilities in images (both the initial base images and the packages and software added to them), identify potential misconfigurations, implement effective runtime security, and follow other Docker security best practices.
Container security for DevSecOps
Find and fix container vulnerabilities for free with Snyk.
Challenges in Docker security
There are five major areas of concern when it comes to Docker security:
Kernel capabilities
The kernel is the heart of any host system — it’s responsible for managing the interactions between the hardware and software. Since the kernel has so much control, Docker aims to limit the set of capabilities given to each container to only those necessary. However, there’s still a risk that the capabilities and volume mounts given to a container provide incomplete isolation, which could increase the attack surface considerably.
Namespaces
Another aspect of Docker and kernel security is the use of kernel namespaces to isolate processes running within Docker containers from other containers or the host. This is critical for preventing container breakout and minimizing the damage one compromised container can have on the rest of the infrastructure.
Docker daemon attack surface
The Docker daemon is a background process that manages all the containers running on a single host. Since the daemon requires root privileges (unless you opt into rootless mode), it’s important to limit control of the Docker daemon itself to only trusted users. This prevents malicious actors from spinning up arbitrary containers with escalated privileges on the host system.
Container configuration loopholes
Docker container configurations (such as Dockerfiles) are one of the most common sources of security vulnerabilities, but also one of the easiest risk areas to improve. Using automated scanning tools, development teams can find and fix Docker security issues or misconfigurations before they hit production.
Kernel hardening features
Besides configuring kernel capabilities and namespaces, there are other kernel security features that can be used to harden a host and improve Docker security. For example, a kernel can be run with grsecurity and PaX to add an extra layer of security. The additional safety checks these solutions provide can protect against many exploits without requiring any configuration changes to Docker.
Tools for Docker security hardening
Here are four tools you can use to harden your Docker deployments today.
1. Snyk
Snyk is a scanning tool that can automatically discover potential vulnerabilities within not only your container images, but also the application code and dependencies inside your containers and the infrastructure as code (IaC) used to deploy your containers. This enables development teams to implement end-to-end Docker security using a single tool.
2. AppArmor
AppArmor is a Linux application security system that protects the operating system and applications from threats. By locking down vulnerable processes, AppArmor can limit the potential damage of an exploit.
3. SELinux
SELinux, or security-enhanced Linux, is a security architecture for the Linux operating system that gives administrators more control over access rights. Using a set of security policies, SELinux can prevent unauthorized access to applications, processes, and files on a host system.
4. grsecurity
grsecurity is an extensive set of patches for the Linux kernel that enhance security through intelligent access control, memory corruption defenses, and other system hardening techniques. Unlike other kernel hardening solutions, grsecurity specializes in protecting against zero-day vulnerabilities.
Docker security best practices
There are four main categories of best practices for Docker security:
Dockerfile security
Since Dockerfiles use a base image that’s often from public repositories, part of shifting Docker security left is choosing secure base images from the start. Besides a secure base image, it’s important to continuously scan any other image dependencies for vulnerabilities as well. Check out our 3 steps to container security produced with Docker.
Docker runtime security
During runtime, the most important security considerations are ensuring that containers are adequately isolated and that the host kernel is hardened against potential threats. This prevents container breakout and privilege escalation that would allow an attacker to take control of the host.
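The isolation concerns raised here and in the earlier sections on kernel capabilities, namespaces, and the Docker daemon can be checked against the output of `docker inspect`. The following is an added example, not Snyk's or Docker's own tooling; the sample JSON is constructed, and the lists of broad capabilities and sensitive host paths are illustrative assumptions to tune per environment.

```python
import json

# Constructed sample of `docker inspect` output, trimmed to the fields checked below.
SAMPLE_INSPECT = json.loads("""[
 {"Name": "/web", "Config": {"User": "10001"}, "Mounts": [],
  "HostConfig": {"Privileged": false, "CapAdd": null, "CapDrop": ["ALL"],
                 "PidMode": "", "NetworkMode": "bridge",
                 "SecurityOpt": ["no-new-privileges"]}},
 {"Name": "/ci-agent", "Config": {"User": ""},
  "Mounts": [{"Type": "bind", "Source": "/var/run/docker.sock",
              "Destination": "/var/run/docker.sock", "RW": true}],
  "HostConfig": {"Privileged": false, "CapAdd": ["SYS_ADMIN"], "CapDrop": null,
                 "PidMode": "host", "NetworkMode": "host",
                 "SecurityOpt": ["apparmor=unconfined"]}}
]""")

# Illustrative policy (an assumption, tune per environment).
BROAD_CAPS = {"ALL", "SYS_ADMIN", "SYS_PTRACE", "SYS_MODULE", "NET_ADMIN"}
SENSITIVE_PATHS = ("/var/run/docker.sock", "/run/docker.sock", "/proc", "/sys")

def audit_container(c):
    """Return isolation findings for one `docker inspect` entry."""
    hc, findings = c.get("HostConfig") or {}, []
    if hc.get("Privileged"):
        findings.append("privileged")
    caps = {x.upper().removeprefix("CAP_") for x in hc.get("CapAdd") or []}
    findings += [f"cap-add:{cap}" for cap in sorted(caps & BROAD_CAPS)]
    # Sharing a host namespace removes that layer of isolation entirely.
    findings += [f"host-namespace:{k}" for k in ("PidMode", "IpcMode", "NetworkMode", "UTSMode")
                 if hc.get(k) == "host"]
    for m in c.get("Mounts") or []:
        src = m.get("Source", "")
        # The daemon socket gives root-equivalent control of the host.
        if src == "/" or any(src == p or src.startswith(p + "/") for p in SENSITIVE_PATHS):
            findings.append(f"host-mount:{src}")
    # AppArmor/seccomp switched off, or SELinux labelling disabled.
    findings += [f"security-opt:{o}" for o in hc.get("SecurityOpt") or []
                 if o.endswith("unconfined") or o.endswith("disable")]
    if ((c.get("Config") or {}).get("User") or "").split(":")[0] in ("", "0", "root"):
        findings.append("runs-as-root")
    return findings

def audit(inspect_json):
    """Map container name -> findings for a parsed `docker inspect` array."""
    return {c["Name"].lstrip("/"): audit_container(c) for c in inspect_json}

if __name__ == "__main__":
    for name, findings in audit(SAMPLE_INSPECT).items():
        print(f"{name}: {', '.join(findings) or 'ok'}")
```

To run it against a live host, replace the sample with the parsed output of `docker inspect` for the running containers.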
Supply chain security
As mentioned before, many images come from a public source like the Docker Hub or other container registries. These images should be vetted for adequate security and trustworthiness before they’re used. Signing and verifying images is also a great way to prevent man-in-the-middle attacks when pushing and pulling registry images.
Container orchestration security
Most containerized applications are run using an orchestration platform like Kubernetes that manages the deployment of the individual containers. It's important to scan the configuration files related to container orchestration for potential vulnerabilities as well. One of the key configuration APIs for Pods and Containers is SecurityContext, which we cover in detail in this cheat sheet: 10 Kubernetes Security Context settings you should understand.
For more specific tips, see our Docker security cheat sheet: 10 Docker security best practices
Snyk for Docker security
Snyk’s comprehensive vulnerability scanning platform protects all the components of Dockerized workloads, from the application source code and dependencies to the containers and IaC configurations. In fact, the `docker scan` command within the Docker CLI is powered by Snyk thanks to the expanding partnership and integrations between both ecosystems.
As the software industry continues to shift towards containerized applications, Snyk and Docker are working together to make it faster and easier to build and deploy secure containers. To get started securing your container images, go to: https://snyk.co/SignUp
Docker security FAQs
Is Docker a security risk?
Docker itself isn’t a security risk, but organizations should take precautions to ensure they’ve securely configured their containers, hosts, and anything else related to Docker. This includes the security of Dockerfiles when creating images and ensuring the security of everything during runtime, such as network ports, user privileges, mounted filesystem access, and more.
How do you secure Docker?
Securing Docker requires a holistic approach that covers not just the container, but the contents of the container (source code and dependencies), the configurations used to run them, and much more. By implementing strong security measures across each of these risk areas, development teams can safely use Docker to deploy their business-critical applications.